Saturday, August 11, 2012

Route and NAT with Linux

Getting a system to route is fairly easy. If you're just interested in seeing the commands as a reminder, I have the examples at the bottom...if some of this is foreign and you need the context, keep reading.

It takes about three or four modifications before you're up and running. The first step is to modify your running kernel to allow IP forwarding: edit your /etc/sysctl.conf file and change net.ipv4.ip_forward = 0 to net.ipv4.ip_forward = 1. Run sysctl -p to force the system to load the change immediately. After the kernel is taken care of, we just need to tell your iptables chains what to do with forwarded packets.

First we need to add the following rules. I usually edit /etc/sysconfig/iptables manually for this, to ensure these statements go above the reject statements.

The philosophy here should be obvious from the keywords "RELATED,ESTABLISHED". One side is a public side, which should not readily accept connections that have not been previously established from the inside. My home lab has adjacent inside networks, both of which are trusted, so this is not the method I use - but it is good to keep in mind.

This is bare-bones routing. Anything talking across this server will need a route to do so. If you're going to use the example immediately above for an inside/outside network setup, you'll likely want to NAT as well.

In my setup, station11 has a share called public on the root directory - but only to station12. Station12 is redirecting... and NATing. I was able to mount station12:/public from station13. I used this setup because I could verify that routing was working per the network separation between stations 11 and 13. I could tell masquerading (NATing) was working because station13 has no permissions to mount that share directly (I even tested with just routing to be sure).

With an inside/outside network setup with masquerading, I would use my routing server as the default gateway for my inside systems. If I'm just routing between internal networks, then I create routes, like this:
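The whole procedure above (the ip_forward sysctl, FORWARD rules keyed on RELATED,ESTABLISHED, masquerading, and a static route) collected into one script. This is an added example, not the post's own listings; the interface names eth0/eth1 and the 192.168.x.0/24 networks are assumptions, and DRY_RUN=1 prints the commands instead of executing them so the rule set can be reviewed without root.

```shell
#!/bin/sh
# Added example: turn a Linux host into an inside/outside router with NAT.
# Interface and network names are assumptions, not taken from the post.
INSIDE_IF=${INSIDE_IF:-eth1}             # trusted side (e.g. station11's network)
OUTSIDE_IF=${OUTSIDE_IF:-eth0}           # public / untrusted side
INSIDE_NET=${INSIDE_NET:-192.168.11.0/24}
DRY_RUN=${DRY_RUN:-0}                    # 1 = print commands instead of running them

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

enable_forwarding() {
    # Persist the setting in /etc/sysctl.conf, then load it now with sysctl -p.
    run sed -i 's/^net.ipv4.ip_forward = 0/net.ipv4.ip_forward = 1/' /etc/sysctl.conf
    run sysctl -p
}

forward_rules() {
    # -I inserts at the top of FORWARD, which keeps these rules ahead of the
    # distribution's default REJECT rule (the "reject statements" in the post).
    # Outside -> inside: only replies to sessions the inside already opened.
    run iptables -I FORWARD 1 -i "$OUTSIDE_IF" -o "$INSIDE_IF" \
        -m state --state RELATED,ESTABLISHED -j ACCEPT
    # Inside -> outside: the trusted network may open new connections.
    run iptables -I FORWARD 2 -i "$INSIDE_IF" -o "$OUTSIDE_IF" -s "$INSIDE_NET" -j ACCEPT
}

masquerade() {
    # Rewrite the source of packets leaving the outside interface to its own address,
    # so hosts on the public side only ever see the router.
    run iptables -t nat -A POSTROUTING -o "$OUTSIDE_IF" -s "$INSIDE_NET" -j MASQUERADE
}

add_route() {
    # add_route <destination prefix> <next hop>: with plain routing between internal
    # networks, each host (or its gateway) needs a route that points at this server.
    run ip route add "$1" via "$2"
}

setup_router() {
    enable_forwarding
    forward_rules
    masquerade
}

# Usage: DRY_RUN=1 sh router.sh --dry-run   (review)   |   sh router.sh --apply (as root)
case "${1:-}" in --dry-run) DRY_RUN=1; setup_router ;; --apply) setup_router ;; esac
```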